aboutcode-org / license-expression

Utility library to parse, normalize and compare License expressions for Python using a boolean logic engine. For expressions using SPDX or any other license id scheme.
http://aboutcode.org

Update SPDX license list version #71

Closed rnjudge closed 1 year ago

rnjudge commented 2 years ago

The license-expression README says that the current SPDX license list being used in the library is 3.13 but the latest SPDX license list is Version: 3.17 (as of 2022-05-08).

This library should be updated to use the current SPDX license list.

pombredanne commented 2 years ago

Hey :wave: Thanks for the report. This should come up soon after a beta release of SCTK.

rnjudge commented 2 years ago

Thanks @pombredanne! When is the beta release scheduled for?

pombredanne commented 2 years ago

@rnjudge Working on it! There have been already 5 betas published.

rnjudge commented 1 year ago

Hello @pombredanne -- any movement on this? We are using license-expression and some of the SPDX identifiers it is resolving for are deprecated in the latest SPDX license list, which leads us to generate non-compliant SPDX docs. For example, the LGPL-2.1 license expression.

pombredanne commented 1 year ago

@rnjudge let me push something this week...

> We are using license-expression and some of the SPDX identifiers it is resolving for are deprecated in the latest SPDX license list which leads us to generate non compliant SPDX docs. For example, the LGPL-2.1 license expression.

Can you elaborate there? I think that by default this will always resolve correctly expressions that use deprecated SPDX license ids. What would you want to do instead?

rnjudge commented 1 year ago

I would hope that if a license identifier was no longer on the most current SPDX license list (i.e. it has been deprecated), `get_spdx_licensing().validate("<deprecated_identifier>").errors == []` would return False (indicating the license is not a currently valid identifier).

However, I am realizing that even licenses that have been deprecated, such as LGPL-2.1, are still listed on the most recent license list, so this is probably not possible. That is unfortunate... is there a way to get only a current list of valid license identifiers from SPDX?

pombredanne commented 1 year ago

For each license key, the licenseDB at https://scancode-licensedb.aboutcode.org/ tracks the current SPDX id and "other_spdx_keys" for older, deprecated licenses. Therefore we should be able to create a "Licensing" object that uses a filtered subset of non-deprecated license keys and use this with a new function or a new arg for a strict validation of expressions, failing if a license key is obsolete at SPDX.
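A sketch of the strict validation proposed in the comment above (and of the behaviour asked for earlier with `validate(...).errors`), as an added example that is not license-expression's own code. It builds the validator from a licenseDB-like index that records each license's current SPDX id and its older ids, and fails any expression that uses an id present only as an older id. `LICENSEDB` and `EXCEPTIONS` are constructed samples; the field names mirror the scancode-licensedb index but are an assumption of this example, as is the tokenizer, which covers only AND/OR/WITH and parentheses.

```python
"""Strict SPDX-expression validation against a non-deprecated license set.

Added example, not license-expression's own code. LICENSEDB and EXCEPTIONS
are constructed samples; the field names ("spdx_license_key",
"other_spdx_license_keys") mirror the scancode-licensedb index but are an
assumption here.
"""
import re
from dataclasses import dataclass, field

# Constructed licenseDB subset: current SPDX id plus older/deprecated ids.
LICENSEDB = [
    {"license_key": "gpl-2.0", "spdx_license_key": "GPL-2.0-only",
     "other_spdx_license_keys": ["GPL-2.0"]},
    {"license_key": "gpl-2.0-plus", "spdx_license_key": "GPL-2.0-or-later",
     "other_spdx_license_keys": ["GPL-2.0+"]},
    {"license_key": "lgpl-2.1", "spdx_license_key": "LGPL-2.1-only",
     "other_spdx_license_keys": ["LGPL-2.1"]},
    {"license_key": "mit", "spdx_license_key": "MIT",
     "other_spdx_license_keys": []},
    {"license_key": "apache-2.0", "spdx_license_key": "Apache-2.0",
     "other_spdx_license_keys": []},
]

# Constructed set of exception ids accepted after WITH.
EXCEPTIONS = {"classpath-exception-2.0": "Classpath-exception-2.0"}

# Minimal tokenizer: parentheses and bare ids; operators are filtered below.
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
_OPERATORS = {"AND", "OR", "WITH"}


@dataclass
class ValidationResult:
    errors: list = field(default_factory=list)
    deprecated: dict = field(default_factory=dict)  # old id -> current id
    unknown: list = field(default_factory=list)


def build_key_sets(db):
    """Map lower-cased SPDX ids to canonical ids: (current, deprecated)."""
    current = {e["spdx_license_key"].lower(): e["spdx_license_key"] for e in db}
    deprecated = {}
    for e in db:
        for old in e["other_spdx_license_keys"]:
            if old.lower() not in current:
                deprecated[old.lower()] = e["spdx_license_key"]
    return current, deprecated


def validate_strict(expression, db=LICENSEDB):
    """Validate an SPDX expression, rejecting deprecated and unknown ids."""
    current, deprecated = build_key_sets(db)
    result = ValidationResult()

    # Anything the tokenizer cannot consume is a syntax error.
    leftover = _TOKEN.sub("", expression).strip()
    if leftover:
        result.errors.append(f"unexpected characters: {leftover!r}")

    depth = 0
    expect_exception = False
    for tok in _TOKEN.findall(expression):
        if tok == "(":
            depth += 1
            continue
        if tok == ")":
            depth -= 1
            if depth < 0:
                break
            continue
        if tok.upper() in _OPERATORS:
            expect_exception = tok.upper() == "WITH"
            continue
        low = tok.lower()
        if expect_exception:  # token after WITH must be an exception id
            expect_exception = False
            if low not in EXCEPTIONS:
                result.unknown.append(tok)
            continue
        if low in current:
            continue
        if low in deprecated:
            result.deprecated[tok] = deprecated[low]
        else:
            result.unknown.append(tok)

    if depth != 0:
        result.errors.append("unbalanced parentheses")
    for old, new in result.deprecated.items():
        result.errors.append(f"{old} is deprecated; use {new}")
    for tok in result.unknown:
        result.errors.append(f"unknown license or exception id: {tok}")
    return result


if __name__ == "__main__":
    for expr in ("MIT AND Apache-2.0", "LGPL-2.1 OR GPL-2.0+"):
        print(expr, "->", validate_strict(expr).errors or "ok")
```

The `deprecated` mapping doubles as the fix-up hint a tool like Tern could apply: each flagged id is paired with the current id recorded for the same license entry, so the caller can either reject the expression or rewrite it before emitting an SPDX document.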

rnjudge commented 1 year ago

Hi @pombredanne, I am still seeing the same issue with license-expression 30.1.0. It resolves deprecated licenses as valid, and therefore SPDX docs from Tern don't validate with those licenses, i.e.:

```
This SPDX Document is not valid due to:
    Package at line 922 invalid: LGPL-2.0 is deprecated. in libnpth0
    Package at line 2728 invalid: GPL-2.0 is deprecated. in openSUSE-build-key
    Package at line 964 invalid: GPL-2.0 is deprecated. in fillup
    Package at line 2014 invalid: GPL-2.0 is deprecated. in pinentry
    Package at line 1195 invalid: GPL-3.0 is deprecated. in libksba8
    Package at line 1195 invalid: LGPL-3.0 is deprecated. in libksba8
```

Do you have suggestions for what Tern should do here?